EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

1. THANKS, added certificates for my bank, works only with Internet Explorer (also add IE to protected programs). :cool:

    Another reason to use Chromium for daily browsing and FW/GPO/EMET-locked, pinned IE for on-line banking :thumb:
     
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I don't recall, but I think that happens because of the XML file formatting.
     
  3. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Is there any need to add:
    Windows Print Spooler - C:\WINDOWS\system32\spoolsv.exe
    Windows LSASS - C:\WINDOWS\system32\lsass.exe

    I had these added in 3.5, just wondering if there is any need to. I have DEP always on.
     
    Last edited: Jun 17, 2013
  4. Quitch

    Quitch Registered Member

    Joined:
    Apr 24, 2008
    Posts:
    94
    The first thing I always do is import the popular software profile.
     
  5. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
  6. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Heads-up... one of the provided links says "If you have EMET 3.0 installed on the system, you don’t need to uninstall it before installing EMET 4.0."

    Upgrading and restarting, the version 3.0 of EMET remained installed and launching.
     
  7. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    spoolsv.exe is a legit Windows Service for Print Spooler but you knew that already. ;)
     
  8. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    You're most welcome ! It took some work getting this finally announced but it's done.

    Regards,

     
  9. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    Finally here :)
    Found some info on the Certificate Trust feature for browsers other than IE.
     
  10. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    On Win 8 Pro 64 bit

    I'm having trouble with EMET 4.0 and Sandboxie which previously I didn't have with the beta. I can open Firefox sandboxed fine but upon closing Firefox Sandboxie is not allowed to delete the C:\Sandbox contents. In Task Manager Firefox is still open. If I use Terminate All Programs then Firefox closes and the sandbox contents are deleted. Same thing applies to other sandboxed applications I use except, interestingly, wordpad.exe. Anyone else seen this problem?

    BTW, this was with a fresh image.

    Later...
     
  11. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,059
    Location:
    Texas
    https://krebsonsecurity.com/2013/06/windows-security-101-emet-4-0/
     
  12. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    Nice find. :thumb:
     
  13. Krysis

    Krysis Registered Member

    Joined:
    Dec 28, 2012
    Posts:
    371
    Location:
    DownUnder
    Interesting......!
    I just upgraded EMET and Sandboxie to 'stable' versions 4 in Windows 8 Pro and discovered that I can't shut down sandboxed IE. I have to use SBIE Control to 'Terminate all Programs' to close IE. No issues with any other sandboxed programs, e.g. Firefox or Palemoon. (I did not have any such issue with the beta versions of either EMET or Sandboxie.)

    I've gone back to Sandboxie V3.76 and the issue has vanished! So I've assumed it's a Sandboxie problem rather than EMET 4. o_O
     
  14. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Yes, just wondering if it should be added. I have imported the recommended and popular lists and added one legacy app. (WordPerfect).
     
  15. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
  16. Quitch

    Quitch Registered Member

    Joined:
    Apr 24, 2008
    Posts:
    94
    Just found they added the ability to add applications from the process view (right-click process, configure process). Hallelujah! You can even do it en masse.
     
  17. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    My wmplayer is OK with all mitigations ON. Win7 x64 Ultimate.
     
  18. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    EMET Users Guide page 39.;)
     
  19. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    Yes, they made many nice usability improvements. I remember adding new executables in v3.5 and then having to click all the ROP mitigations; clicking 40+ checkboxes one by one is not my idea of having a good time. Now you just right click and Enable all mitigations, which you can do en masse as well. Hallelujah! indeed :D

    Found it in the manual, EMET usually has some unsupported options that are explained there ;)
     
  20. Question: I get all of my HTTPS websites pinned, except www.linkedin.com. Has anyone got the LinkedIn log-in working without an EMET warning?
     
  21. guest

    guest Guest

    Why don't they release this as default for all Win7/8 x64 users?

    They should have a database with the most common applications and the protections that can be applied for each one.

    It should install, scan your PC looking for the apps in the database and configure them automatically. And repeat the scan (should take seconds because it is looking for a few .exe's) every week or so automatically on boot.

    Also, and quite important, they should add a purge button in the apps list, in order to delete the old rules, or the rules for apps that are not installed.

    I don't know how to contact them but I will appreciate it if somebody can give them this feedback.

    Is it recommended to add svchost.exe?
     
    Last edited by a moderator: Jun 20, 2013
  22. Quitch

    Quitch Registered Member

    Joined:
    Apr 24, 2008
    Posts:
    94
    I've added all my running processes, including Windows ones with deep hooks enabled and it's worked. Windows 8 64-bit. But no, I wouldn't recommend it because if a patch changes one of those files in a way EMET doesn't like it could ruin your day.

    But I love the edge :)

    Why is this important, or even necessary?
     
  23. guest

    guest Guest

    In order to purge useless rules, and it will help you to easily see if a program that you thought was being protected is not, because the route or the name has changed in an update.

    Maybe it is not that important but it is useful :D
     
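The "purge" the two posts above ask for can be approximated from the outside: export the configuration, then check every application rule against the executables actually present on disk, flagging rules whose path or file name no longer matches anything. The checker below is an added example, not code from the thread or from EMET. It assumes the export layout of an EMET 4.x XML file (an `EMET_Apps` element holding `AppConfig` entries with `Path` and `Executable` attributes and child `Mitigation` elements, with a leading `*\` in `Path` meaning "any directory ending in"); if your export differs, adjust the element and attribute names. The sample export and the list of "installed" executables are constructed so the script runs offline; `scan_disk` shows how to feed it a real filesystem instead.

```python
"""Flag EMET application rules whose target executable no longer exists.

Added example; not part of the forum thread or of EMET. The XML layout is
ASSUMED to follow an EMET 4.x export (EMET_Conf.exe --export):
  <EMET><EMET_Apps><AppConfig Path=".." Executable=".."><Mitigation .../>
Adjust names if your export differs.
"""
import fnmatch
import ntpath          # Windows path rules, usable on any OS
import os
import xml.etree.ElementTree as ET

# Constructed sample export: two live rules, one rule left behind by an
# uninstalled legacy app, and one whose executable was renamed by an update.
SAMPLE_EXPORT = r"""<?xml version="1.0" encoding="utf-8"?>
<EMET Version="4.0.4913.0">
  <Settings>
    <ExploitMitigations DEP="ApplicationOptIn" SEHOP="Disabled" ASLR="ApplicationOptIn" />
  </Settings>
  <EMET_Apps>
    <AppConfig Path="*\Internet Explorer" Executable="iexplore.exe">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="EAF" Enabled="true" />
    </AppConfig>
    <AppConfig Path="C:\Program Files\Mozilla Firefox" Executable="firefox.exe">
      <Mitigation Name="DEP" Enabled="true" />
    </AppConfig>
    <AppConfig Path="C:\Program Files (x86)\Legacy Suite" Executable="legacy.exe">
      <Mitigation Name="DEP" Enabled="true" />
    </AppConfig>
    <AppConfig Path="C:\Program Files\Example Viewer" Executable="viewer.exe">
      <Mitigation Name="DEP" Enabled="true" />
    </AppConfig>
  </EMET_Apps>
</EMET>
"""

# Constructed stand-in for the filesystem so the example runs offline.
SAMPLE_INSTALLED = {
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Program Files\Example Viewer\viewer64.exe",   # renamed by an update
}


def _norm(p):
    """Case-fold and normalise separators the way Windows compares paths."""
    return ntpath.normcase(p)


def rule_matches(path_pattern, executable, candidate):
    """True if installed file `candidate` is covered by the rule (Path, Executable)."""
    cand_dir, cand_exe = ntpath.split(_norm(candidate))
    if cand_exe != _norm(executable):
        return False
    pat = _norm(path_pattern)
    if any(ch in pat for ch in "*?"):           # e.g. "*\internet explorer"
        return fnmatch.fnmatchcase(cand_dir, pat)
    return cand_dir == pat                      # exact directory otherwise


def load_rules(xml_text):
    """Return (path, executable, [enabled mitigation names]) per AppConfig."""
    root = ET.fromstring(xml_text)
    rules = []
    for app in root.iter("AppConfig"):
        enabled = [m.get("Name") for m in app.findall("Mitigation")
                   if m.get("Enabled", "").lower() == "true"]
        rules.append((app.get("Path", ""), app.get("Executable", ""), enabled))
    return rules


def find_stale_rules(xml_text, installed):
    """Split rules into (live, stale); stale rules match no installed executable."""
    live, stale = [], []
    for path, exe, mitigations in load_rules(xml_text):
        hits = sorted(c for c in installed if rule_matches(path, exe, c))
        entry = {"path": path, "exe": exe, "mitigations": mitigations, "matches": hits}
        (live if hits else stale).append(entry)
    return live, stale


def scan_disk(roots=(r"C:\Program Files", r"C:\Program Files (x86)")):
    """Real-filesystem input for find_stale_rules: every .exe under `roots`."""
    found = set()
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            found.update(os.path.join(dirpath, f) for f in files if f.lower().endswith(".exe"))
    return found


if __name__ == "__main__":
    live, stale = find_stale_rules(SAMPLE_EXPORT, SAMPLE_INSTALLED)
    for r in live:
        print("OK    ", r["exe"], "->", "; ".join(r["matches"]))
    for r in stale:
        print("STALE ", ntpath.join(r["path"], r["exe"]), "(no matching executable; candidate for purge)")
```

The renamed-executable case is the one worth noticing: the rule for `viewer.exe` is still present and looks protected in the GUI, but after the update the process actually running is `viewer64.exe`, which EMET never hooks. A stale entry is therefore not just clutter; it is a protection you think you have and do not. On a real machine, replace `SAMPLE_INSTALLED` with `scan_disk()` and the export text with the file written by `EMET_Conf.exe --export`.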
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    That would be great, actually. I was thinking that Microsoft EMET could actually be automatically distributed through Windows Update and the rules updated to reflect any new process added to its list and modified mitigations to solve issues.

    This would benefit every Windows user out there with Windows Update set to automatically update. I wonder why Microsoft never thought of that.
     
  25. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Would one recommend this configuration for EMET 4.0?

    DEP is set to Always On
    SEHOP is set to Application Opt Out
    ASLR is Application Opt In
    Certificate Trust (Pinning) is set to Enabled

    Or, do you think using the default settings is a more practical approach?


    DEP is set to Application Opt In
    SEHOP is set to Disabled
    ASLR is Application Opt In
    Certificate Trust (Pinning) is set to Enabled

    Your recommendations for an ideal setup for EMET 4.0 on Windows 8 would be greatly appreciated.

    Thanks
     